Securing The Digital Commerce Ecosystem For Merchants, Consumers, And Banks
FinTech, Financial Services & Technology
HQ - Atlanta, Georgia
In terms of multi-tasking, GreenSky had “multiple irons in the fire” across their DevOps environment. Having migrated from on-premises to a cloud platform (AWS), the company was facing the standard technology growing pains and realized they needed greater flexibility and scalability.
“Payment options are an integral part of the customer experience. Our customers are looking at ways to increase their spending power. It is incumbent on GreenSky and our technology partners to provide a secure, frictionless platform in order to fulfill these demands.”
Sr. DevSecOps Engineer
Founded in 2006, GreenSky, Inc. is a leading financial technology company “Powering Commerce at the Point-of-Sale” for a growing ecosystem of merchants, consumers and banks. Their highly scalable, proprietary technology platform enables nearly 16,000 merchants to offer frictionless promotional payment options to consumers, driving increased sales volume and accelerated cash flow. Banks leverage GreenSky’s technology to provide loans to super-prime and prime credit consumers nationwide. Since their inception, over 2.4 million consumers have financed over $17 billion of commerce using GreenSky’s paperless, real-time “apply and buy” technology.
As an innovative Fintech company, GreenSky has been disrupting the lending business with on-the-spot financing via their network of contractors and bank partners. As a mobile-first financial services company, GreenSky is not itself a traditional lender or bank, but rather a technology platform facilitating promotional financing at the point of commerce.
The Journey to Modern Software Application and a Collaborative Security Posture
GreenSky faced the following challenges:
- Cumbersome workflows dictated a move toward a microservices approach so the DevOps team could continuously deliver complex applications.
- Processes needed to be automated and secured, replacing a monolithic and siloed approach that resulted in piecemeal development and production.
- Priorities between DevOps and Security teams had to be aligned and reconciled to “Shift Left” so deadlines are met while improving quality and reducing defects during the software development lifecycle (SDLC).
- Vulnerabilities in Java code and in open source dependencies used by applications had to be detected and remediated.
Inherent during the growth of any software company is the necessity to streamline and secure the SDLC so that all key stakeholders are seamlessly aligned throughout the entire DevOps process—from initial code builds to post-production.
GreenSky is no exception to this process, finding itself in need of inter-department collaboration as they started migrating critical capabilities like application security to the cloud. Continual, manual processes and complex workflows quickly gave rise to a transition to a DevOps mindset and technology processes that are reliable and repeatable — these are the hallmarks of security automation.
Previously, the use of manual static (SAST) and dynamic (DAST) testing tools, and the need for security reviews, would delay agile sprints in development, frustrating stakeholders like project owners. Additionally, development teams (who value product features and high-velocity releases) and security operations teams (who value code stability and security) often found themselves at odds over these priorities, causing friction between the groups.
Contrast Assess has democratized this continuous review process, allowing teams to integrate security into their existing tools in order to make more informed decisions resulting in secure code releases. It also addresses the numerous industry audits, compliance, and regulations that need to be observed.
“In order to release code more rapidly, we are seeing more aspects of the software development lifecycle being forced to shift-left. Due to the rapid pace of the speed in which software is updated and delivered, automated application security via Contrast enables us to deliver on this.”
– Lori Temples, Sr. Director of IT Security, GreenSky
Migrating to a Cloud Environment - Improving Cost, Performance, and Security
Before GreenSky shifted their software development to a hosted cloud environment, they were using VMware on premises. Realizing this approach wouldn’t be sustainable for the long term, they then migrated their stack directly into Amazon’s EC2 platform with nominal changes to the existing architecture.
Shortly after, they started optimizing their application structure from a monolithic style to a more lightweight microservices approach deployed across various smaller EC2 containers, using fewer resources than previous virtual machines.
GreenSky’s transformation strategy migrated legacy services into Docker (managed with Chef), and then placed everything in ECS/Fargate, the compute engine for deploying and managing containers for ECS. Developers were able to integrate Contrast into the Docker images, and environment variables were handled via the Jenkins pipeline. This allowed for a seamless migration to ECS/Fargate. The process can now migrate to a serverless framework by harnessing the benefits of AWS Lambda, provisioning resources while working in concert with Contrast to implement the capabilities of Contrast Assess.
Incorporation of Automated AppSec for Faster Builds
Prior to deploying Contrast Assess, a security risk assessment had to be performed on every component at every stage of the SDLC (Dev, QA, UAT, Production), siphoning valuable time and resources. Now that development teams are running code with Contrast Security, developers can weave in security with Contrast as they write code.
Saving time: Freeing up around 10 hours a week for 2-3 people to focus on other security related work.
Gaining visibility sooner: Vulnerabilities are found much earlier, eliminating unforeseen and last-minute roadblocks for quicker deployment.
Getting results faster: Starting each project with secure coding in mind, developers can see their results almost immediately with the IDE plugin.
- Successfully migrated from on-premises to the AWS cloud.
- Automated key capabilities such as deployments (AppSec), and documentation (artifacts and binary repositories).
- Dockerizing via AWS for greater agility and speed. Containerized applications can scale incredibly fast, making it easy for delivery teams to pivot between frameworks.
- DevOps tools were consolidated, reducing time and wasted resources to ensure code is more effectively deployed.
- QA is provided visibility into the routes that had been exercised during testing via the Contrast Console.
- Library analysis and updates are now more easily managed and inventoried.
- Integrated Contrast with their CI/CD pipeline tools (Jenkins) as well as an orchestration tool (Chef) that also manages core AWS components.
As an innovative Fintech company, GreenSky can now accelerate its time-to-market with secure applications, which was paramount to highlighting business value, operational efficiencies, flexibility and overall success. Migrating to the cloud via Amazon Web Services (AWS) and augmenting application security with Contrast helped GreenSky achieve these major strategic initiatives. By implementing Contrast Assess as part of their secure DevOps program, GreenSky established a shared responsibility model that helps galvanize and integrate security into existing workflows. As a result, GreenSky was able to bring their digital financial ecosystem model to the market faster and securely to meet their customer demands.